Tuesday, April 1, 2008

Security Fix: xine-lib

Another batch of updates has been released today, along with one security fix for xine-lib. This time a replacement for util-linux (util-linux-ng) is available, together with some modifications to the mysql package: administrators should check /etc/rc.d/rc.mysqld for the changes that Pat noted.

Here's the latest -Current changelog:
Tue Apr 1 02:41:32 CDT 2008
a/acl-2.2.47_1-i486-1.tgz: Upgraded to acl-2.2.47_1.

a/attr-2.4.41_1-i486-1.tgz: Upgraded to attr-2.4.41_1.

a/etc-12.1-noarch-4.tgz: Give the mysql user a /bin/false "shell".
Thanks to Noel for the suggestion.

a/lilo-22.8-i486-12.tgz: Fixed a bug where liloconfig might not properly determine the root directory where /boot is found.

a/sysvinit-scripts-1.2-noarch-20.tgz: Fixed a bug in rescan-scsi-bus that was exposed by the CONFIG_SCSI_MULTI_LUN kernel option (which _should_ also make rescan-scsi-bus unnecessary). Thanks to Kem Prims for the bug report.
Keep /usr/share/mime's mime.cache file updated.

a/util-linux-2.12r-i486-6.tgz: Removed. See below.

a/util-linux-ng-2.13.1-i486-1.tgz: Added util-linux-ng-2.13.1, which replaces the old util-linux package. To install, either use upgradepkg with the "%" option, or do this: installpkg util-linux-ng-2.13.1-i486-1.tgz ; removepkg util-linux ; installpkg util-linux-ng-2.13.1-i486-1.tgz
Thanks to Robby Workman for a lot of help with this package update.

a/xfsprogs-2.9.7_1-i486-1.tgz: Upgraded to xfsprogs-2.9.7_1.

ap/alsa-utils-1.0.15-i486-3.tgz: Don't load the mixer settings until after the OSS modules have been loaded. Eliminate 'awk' usage in rc.alsa, using sed and tr instead. Thanks to Tomas Matejicek for the patch.

ap/dmapi-2.2.8_1-i486-1.tgz: Upgraded to dmapi-2.2.8_1.

ap/man-pages-2.79-noarch-1.tgz: Upgraded to man-pages-2.79, and retained the POSIX pthread_* man pages this time. Thanks to Rastislav Stanik.

ap/mysql-5.0.51a-i486-2.tgz: Modified /etc/rc.d/rc.mysqld's database installation instructions to take into consideration that the mysql user no longer has a login shell. In addition, the admin is told to consider locking the database server down even further (if possible) by using the mysql_secure_installation utility. Thanks again to Noel.

ap/xfsdump-2.2.48_1-i486-1.tgz: Upgraded to xfsdump-2.2.48_1.

l/libglade-2.6.2-i486-2.tgz: Rebuilt with --libdir=/usr/lib. Without this, libglade-2.0.la incorrectly inserts '/usr/local/lib' in the .la file.
Thanks to Steve Kennedy for the bug report.

l/libgsf-1.14.8-i486-1.tgz: Upgraded to libgsf-1.14.8.

n/net-tools-1.60-i486-2.tgz: Recompiled with latest Debian patch.

n/nfs-utils-1.1.2-i486-1.tgz: Upgraded to nfs-utils-1.1.2.

n/nmap-4.60-i486-3.tgz: Fixed the build script (third time's the charm?) to use DESTDIR and remove the one item (useless, IMHO, within a package system) that still can't get DESTDIR right: uninstall_zenmap.
Thanks to Conraid and Mauro Ghisoni for walking me through this one. :-)

n/openssh-4.9p1-i486-1.tgz: Upgraded to openssh-4.9p1.

n/wget-1.11.1-i486-1.tgz: Upgraded to wget-1.11.1.

x/scim-1.4.7-i486-5.tgz: Fixed scim.desktop to have more information, and to place the SCIM startup utility in the "Utilities" menu rather than having it fall into "Lost & Found". Thanks to Hon Yuen Kwun for the initial patch.

x/xf86-video-intel-2.2.99.902-i486-1.tgz: Upgraded to xf86-video-intel-2.2.99.902.

xap/xine-lib-1.1.11.1-i686-1.tgz: Earlier versions of xine-lib suffer from an integer overflow which may lead to a buffer overflow that could potentially be used to gain unauthorized access to the machine if a malicious media file is played back. File types affected this time include .flv, .mov, .rm, .mve, .mkv, and .cak.
For more information on this security issue, please see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1482
(* Security fix *)

isolinux/initrd.img: Patched to have /etc/fstab mount /dev/shm. Updated XFS utilities.
usb-and-pxe-installers/: Patched to have /etc/fstab mount /dev/shm.
Updated XFS utilities.
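The util-linux-ng entry above gives two ways to swap out the old util-linux package. The script below is an added example, not part of the changelog or of Slackware's pkgtools: it checks the package database for an installed util-linux and prints the upgradepkg "%" command (or the three-step installpkg/removepkg/installpkg sequence via manual_cmds) for review before anything is run. PKG_DB and the package file name are assumptions that can be overridden.

```sh
#!/bin/sh
# Added example, not from the changelog or Slackware's own tools: print the
# commands that replace the old util-linux package with util-linux-ng on
# Slackware -current, using either upgradepkg's "%" rename syntax or the
# three-step installpkg/removepkg/installpkg sequence from the changelog.
# Assumes the standard /var/log/packages package database; PKG_DB may be
# pointed at a constructed directory for a dry run. Nothing is executed
# here: review the printed commands, then run them as root.
PKG_DB="${PKG_DB:-/var/log/packages}"

# Print the installed entry for a package base name (e.g. util-linux-2.12r-i486-6).
# The case pattern requires a digit after the base name so that a
# util-linux-ng-* entry is not mistaken for util-linux-*.
installed_pkg() {
  base="$1"
  for f in "$PKG_DB/$base"-*; do
    [ -e "$f" ] || continue
    case "${f##*/}" in
      "$base"-[0-9]*) printf '%s\n' "${f##*/}"; return 0 ;;
    esac
  done
  return 1
}

# "upgradepkg oldname%newfile" tells upgradepkg that the installed package
# has a different name from the one in the new .tgz.
upgrade_cmd() {
  printf 'upgradepkg %s%%%s\n' "$1" "$2"
}

# The manual sequence given in the changelog, one command per line:
# install the new package, remove the old one, then reinstall the new one.
manual_cmds() {
  printf 'installpkg %s\nremovepkg %s\ninstallpkg %s\n' "$2" "$1" "$2"
}

plan() {
  newpkg="${1:-util-linux-ng-2.13.1-i486-1.tgz}"
  if old=$(installed_pkg util-linux); then
    echo "# replacing $old:"
    upgrade_cmd util-linux "$newpkg"
  else
    echo "# util-linux not installed, plain install:"
    echo "installpkg $newpkg"
  fi
}

plan "$@"
```

Run it as `sh replace-util-linux.sh [new-package.tgz]` and execute the printed commands by hand; use `manual_cmds util-linux <new.tgz>` if upgradepkg is not preferred.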